The Center for Security Studies (CSS) at ETH Zurich specializes in research, teaching, and infor-mation services in the fields of international relations and security policy. The CSS also acts as a consultant to various political bodies and the general public. The Center is engaged in research projects with a number of Swiss and international partners, focusing on new risks, European and transatlantic security, strategy and doctrine, state failure and state building, and Swiss foreign and security policy.

The Crisis and Risk Network (CRN) is an Internet and workshop initiative for international dialog on national-level security risks and vulnerabilities, critical infrastructure protection (CIP) and emergency preparedness.As a complementary service to the International Relations and Security Network (ISN), the CRN is coordinated and developed by the Center for Security Studies at the Swiss Federal Institute of Technology (ETH) Zurich, Switzerland. (www.crn.ethz.ch)

ETH ZurichCSS CRN REPORT

Focal Report 4

Critical Infrastructure ProtectionProtection Goals

Zurich, February 2010

Crisis and Risk Network (CRN)Center for Security Studies (CSS), ETH Zürich

Commissioned by the Federal Office for Civil Protection (FOCP)

Supported by ISNCRN

Purpose: As part of a larger mandate, the Swiss Federal Office for Civil Protection (FOCP) has tasked the Center for Security Studies (CSS) at ETH Zurich with compiling ‘focal reports’ (Fokus-berichte) on critical infrastructure protection and on risk analysis to promote discussion and provide information about new trends and insights.

Authors: Elgin Brunner, Myriam Dunn Cavelty, Jennifer Giroux, Manuel Suter

© 2010 Center for Security Studies (CSS), ETH Zurich.

Contact:Center for Security StudiesETH ZürichHaldeneggsteig 4, IFWCH-8092 ZürichSwitzerlandTel.: +41-44-632 40 25

crn@sipo.gess.ethz.chwww.crn.ethz.ch

Contracting entity: Federal Office for Civil Protection (FOCP) Project lead FOCP: Stefan Brem, Head Risk Analysis and Research Coordination Contractor: Center for Security Studies (CSS), ETH Zurich Project supervision ETH-CSS: Myriam Dunn, Head New Risks Research Unit, Andreas Wenger, Director CSS

Disclaimer: The views expressed in this focal report do not necessarily represent the official po-sition of the Swiss Federal Office for Civil Protection, the Swiss Federal Department of Defence, Civil Protection, and Sport or any other governmental body. They represent the views and inter-pretations of the authors, unless otherwise stated.

1

TABLE OF CONTENTS

1 INTRODUCTION ..............................................................................................................................................21.1 Focal Reports: The Task .................................................................................................................................................21.2 Protection Goals in Critical Infrastructure Protection ....................................................................................21.3 Structure and Content of Focal Report .................................................................................................................4

2 CRITICAL INFRASTRUCTURE PROTECTION GOALS IN COMPARISON .........................................52.1 Level 1: National Security Strategies .......................................................................................................................62.2 Level 2: CIP Strategies ................................................................................................................................................... 72.3 Level3:Sector-SpecificProtectionGoals ..............................................................................................................8

3 EVALUATION AND IMPLICATIONS ...........................................................................................................113.1 Three Types of Protection Statements on three Levels of Strategy: Principles – Policies – Goals ... 113.2 Purposes and Characteristics of CIPGs ................................................................................................................ 113.3 TwoIntegratedProcessesforDefiningProtectionGoals .............................................................................133.3.1 TheDefinitionofPrinciplesandPoliciesinPoliticalProcesses ..................................................................133.3.2 TheDefinitionofProtectionGoalsinConsultativeProcesseswithPractitioners ........................... 143.4 Conclusion ...................................................................................................................................................................... 15

4 ANNEX ..............................................................................................................................................................184.1 Protection Goals (Texts) ........................................................................................................................................... 184.2 Annotated Bibliography ............................................................................................................................................224.2.1 Policy documents/reports .......................................................................................................................................224.2.2 Academic literature ....................................................................................................................................................23

CRN REPORT Focal Report 4 – Critical Infrastructure Protection

2

1.1 Focal Reports: The Task

In support of Switzerland’s critical infrastructure pro-tection (CIP) efforts and CIP strategy development, the Swiss Federal Office for Civil Protection (FOCP)has tasked the Center for Security Studies (CSS) at ETH Zurich with producing focal reports (Fokusberi-chte) on critical infrastructure protection.

These focal reports are compiled using the follow-ing method: First, a ‘scan’ of the environment is performed with the aim of searching actively for information that helps to expand and deepen the knowledge and understanding of the issue under scrutiny. This is a continuous process based on the following sources:

� Internet Monitoring: New publications and docu-ments with a) a general CIP focus and b) a focus on scenarios with specific importance for theFOCPareidentifiedandcollected.

� Science Monitoring: Relevant journals are identi-fiedandregularlyevaluated(withthesametwofocalpointsasspecifiedabove).

� Government Monitoring: The focus is predomi-nantly on policy developments in the United States, Canada, Sweden, Norway, Germany, the Netherlands, and the United Kingdom as well as other states in the European vicinity that are rel-evant to Switzerland.

Second, the material collected is filtered, analyzed,and summarized in the focal reports.1

1 Previous focal reports can be downloaded from the website of the Crisis and Risk Network CRN (http://www.crn.ethz.ch).

1.2 Protection Goals in Critical Infrastructure Protection

For this focal report, we were tasked with analyzing protection goals in the area of CIP – a topic that is largelyabsentfromthescientific-academicaswellasthe more practically oriented CIP literature. In this re-port, we use the ‘Schutzziel Modell’ (Protection Goals Model), published by the Swiss National Platform for Natural Hazards (PLANAT) in 2009, as a starting point for our theoretical-conceptual analysis. It introduces amodel for developing unified protection goals inthe natural hazards domain.2 As we consider this document to be of generic value for the discussion, wewillbrieflysummarizeitscontent.

The PLANAT document emphasizes that the main prerequisites for a protection goal model are the de-termination of a) the objects/assets to be protected, b) the identification of areas of responsibility withregardtotheirprotection,c)theclarificationofwhatconditions the protection goals need to meet, and d) what general principles these conditions adhere to:3

a) Objects to be protected: The PLANAT document des-ignates human life and welfare as the paramount asset to be protected, followed by protection of animals and substantial material assets (which contains infrastructures as a sub-category).

b) Responsibilities: Individuals can assume that state institutions(orotherofficialbodies)limitcertainrisks due to legal requirements or generally ac-cepted social practices. Institutions, on the other hand, can expect potentially affected parties to take their own precautions when it is their own re-

2 Nationale Plattform Naturgefahren PLANAT (2009), Schutzziel-Modell. http://www.planat.ch/ressources/planat_product_de_1261.pdf.

3 PLANAT, pp. 1-11.

1 INTRODUCTION

Protection Goals

3

sponsibility. A central prerequisite for this ‘division of labor’ is full transparency and communication about who is responsible when and for what.

c) Requirements: According to PLANAT, protection goals have to meet certain conditions, for example: practical, scientific-technical, ethical, legal, eco-nomic, social, and environmental requirements.

d) Principles: Protection goals are tied to decisions with potentially substantial political/social con-sequences, for example about human lives. They must therefore be inferred in a transparent and comprehensible way. In addition, they must have a high degree of democratic legitimacy. PLANAT also lists the two guiding principles of due diligence and sustainability.

The last point is closely related to the function that the PLANAT document attributes to protection goals – stating that, in theory, protection goals provide guidanceforwhenspecificmeasuresneedtobetak-en because they help to differentiate acceptable risks from unacceptable risks. In this respect, they are a threshold value in the risk analysis and risk manage-ment process. Figure 1 illustrates this use of protec-tion goals in the risk management cycle4:

4 PLANAT, p. 1.

Understood this way, protection goals are numerical boundary values related to indicators (such as num-ber of [acceptable] human deaths or monetary dam-age) and identifiable objects in need of protectionfromspecificthreats/hazards.ThePLANATdocumentalso delineates the probability values (the probability that severe damage will result).5

In short, the PLANAT protection goal model aims to develop measurable, numeric protection goals that help to specify acceptable and unacceptable risks in the risk management process. While such measures might exist for specific installations (such as damsor power plants), it is futile to adopt a similar mod-el to CIP as a whole. The reason is that most CIs are interdependent and embedded in a highly complex environment,whichmakesthequantificationofrisksextremelydifficult toachieve, ifnotoutright impos-sible.However,themodel(andspecificallythevariousconcepts behind it) can be used as a loose framework for the comparison and analysis of protection goals in CIP practices.6

5 PLANAT, p. 13.

6 The usability of the PLANAT model is described in more detail in an additional document: “Grenzen und Möglichkeiten der Übertragbarkeit des Schutzziel-Modells (PLANAT, Mai 2009) auf den Bereich Schutz kritischer Infrastrukturen: Kurzab-handlung des Center for Security Studies (CSS) zuhanden des Bundesamts für Bevölkerungsschutz (BABS)”.

Risk analysis Risk managementRisk assessment

acceptable risk unacceptable risk

Protection Goal

Figure 1: Role of protection goals in the risk analysis process

CRN REPORT Focal Report 4 – Critical Infrastructure Protection

4

1.3 Structure and Content of Focal Report

Guided by the basic assumptions described in the PLANAT protection goal model, this report will ex-plore the manner in which protection goals are de-finedinCIP.Indoingso,wewillidentifyandanalyzethe protection goals in various countries and address the following questions based on the empirical anal-ysis:

� What protection goals do states define in thepractice of CIP?

� What purpose do they serve? � What aspects do they cover? � Whodefinesthem?

In conclusion, we will discuss what seems to be miss-ing from the CIP discussion: how applicable and use-ful are protection goals for CIP and what aspects they should cover.

The report has three parts:

� Thefirstpartexamineshowprotectiongoalsarehandled in eight countries: Australia; Canada; Ger-many; Netherlands; Norway; Sweden; the United Kingdom; and the United States.

� The second part strives to evaluate these practic-es with regards to the above questions and com-pare them to the PLANAT model.

� The third part is the annex, containing a) excerpts sketching the protection goals in the policy docu-ments analyzed and b) an annotated bibliography.

Protection Goals

5

Thischapteridentifiesandcomparestheprotectiongoals in critical infrastructure protection (we ab-breviate them by using CIPG) delineated in officialdocuments released by Australia, Canada, Germany, the Netherlands, Norway, Sweden, the United King-dom (UK), and the United States (US). The analysis revealed that there is no universal understanding or use of the term ‘protection goal’ or a related concept. Inordertoovercomethisdifficulty,wedevelopedourownworkingdefinitionofprotectiongoals (looselybasedon thedefinitiongivenby thePLANATdocu-ment)thatisdrawnfromafirstreadingofthepolicydocuments as well as our previous expertise. Within the literature we looked for statements that identi-fiedoneorallofthebelow:

� an object to be protected; � the type of threat to which these objects are sub-

ject; � the means by which these objects are to be pro-

tected.

In this regard, we used the following loose defini-tion of ‘protection goal’ in CIP to identify the relevant content:

A protection goal is a statement about a desired (or required) state of protection and operation of a system (or parts of a system) against one or a variety threats.

The analysis showed that there are CIPG constructs on three hierarchically distinguishable levels. Not surprisingly, CIPGs become more concrete the fur-ther down one moves:

� First, protection goals are described on a strategic level – linked to national security strategy docu-ments.

� Second, protection goals are described in CIP strategies or similar documents.

� Third,sector-specificCIPdocumentsstrivetofur-therdefineandspecifyprotectiongoals.

In the following, we address the CIPGs on these three levels. We therefore use a very broad understanding of protection goals. Table 1 summarizes the availabil-ity of documents on these three levels for the coun-tries that we scrutinized. Please refer to Annex A for the relevant text excerpts.

2 CRITICAL INFRASTRUCTURE PROTECTION GOALS IN COMPARISON

‘Protection Goals’ in National Security Strategy

CIP Strategy (with Protection Goals)

Sector-Specific Protection Goals

Australia X (x) IT

Canada x X

Germany X (x) IT

Netherlands x X

Norway X (x) IT

Sweden (x) IT

United Kingdom x X

United States x X x all sectors

Table 1: Availability of documents on three levels of Protection Goals

CRN REPORT Focal Report 4 – Critical Infrastructure Protection

6

2.1 Level 1: National Security Strategies

Today, CIP is considered part of national security in most countries. Canada, the Netherlands, the United Kingdom (UK), and the United States (US) have na-tional security strategies that contain CIPG on a stra-tegic level. As is to be expected, these ‘goals’ are gen-erally vague, all-embracing, and fairly abstract.

At the highest strategic level, the US references the protection of critical infrastructures in its National Strategy for Homeland Security. The document calls for the ‘Protection of the American people, our criti-cal infrastructures, and key resources’7 and outlines three specific goals for critical infrastructures pro-tection: deter the terrorist threat; mitigate the vul-nerabilities; and minimize the consequences. Fur-thermore, this document singles out the National Infrastructure Protection Plan (NIPP) – developed pursuant to the Homeland Security Presidential Direc-tive-7 – as the main guidance for the efforts to pro-tect critical infrastructures. The NIPP is designated within this national strategy as the tool to ‘ensure that our government, economy, and public services continue to function in the event of a man-made or natural disaster.’8 As elaborated in section 2.3 below, thistaskiscarriedoutthroughsector-specificplansdeveloped within identified critical infrastructuresand key resources.

Turning to the Netherlands where the national se-curity strategy states that its goal is to protect the ‘vital interests of the Netherlands in order to prevent societal disruption’.9 In this case, CIP is seen as the

7 Homeland Security Council (2007), National Strategy for Homeland Security, p. 1.

8 Homeland Security Council (2007), op. cit., p. 26.

9 Ministry of the Interior and Kingdom Relation (2007), National Security Strategy and Work Programme 2007-2008, p. 16.

operational tool to ensure this. The Dutch National Security Strategy depicts CIP as risk management and positions it on a par with crisis management; the two concepts together cover the operational aspects of security, while national security covers the strategic aspects.Moreover,itspecifiesthat‘withcriticalinfra-structures the emphasis is primarily on prevention (measures for better security of the critical sectors), while with crisis management the emphasis is on preparation (preparation for incidents), response (if an incident has occurred) and after-care.’10

While the Dutch strategy locates critical infrastruc-ture protection in to the context of both national se-curity and crisis management, Canada and the Unit-ed Kingdom view critical infrastructure vulnerability and its protection as a main challenge of emergency management.TheUK,forexample,definesitasthe‘single overarching national security objective’ to pro-tect ‘the United Kingdom and its interests, enabling its people to go about their daily lives freely and with confidence,inamoresecure,stable,justandprosper-ous world’.11 Furthermore, the British national secu-ritystrategyidentifiescriticalinfrastructuresamongthe key assets to be protected, stating the goal as ‘to improve the protection of critical infrastructures, hazardous sites and materials, and crowded places’.12

These examples reveal the interrelationship between national security and CIP. In the former, national se-curity is often described as being in some way related to ensuring the continuity of life, while in the latter CIP is the way to ensure this on an operational level. In other words, because critical infrastructures are

10 Ministry of the Interior and Kingdom Relation (2007), op.cit., p.13.

11 CabinetOffice(2008),TheNationalSecurityStrategyoftheUnited Kingdom. Security in an interdependent world, p. 5.

12 CabinetOffice(2008),op.cit.,p.26.

Protection Goals

7

regarded as the ‘fabric of society’, the protection of society is equated with the protection of CI. This has several implications for protection goals: a) Because CIP is – among other things – a national security is-sue, there is a level of secrecy when it comes to con-crete aspects such as protection goals; b) as noted in the PLANAT document, protection goals are directly linked to human life. The stakes are thus very high. If the security of entire nations depends on CIP mea-sures, then protection goals in CIP are – or should have to be – top-level strategic-political decisions. This is an important aspect that will be addressed in some more detail below.

2.2 Level 2: CIP Strategies

Similar to national security strategies, CIPGs formu-lated in CIP strategy papers (usually at the national/federal level) tend to be very general. For instance, ratherthanprovidingspecificmandatesor(measur-able values) they offer guiding principles or mission statements. With that said, on the second level, more information can be found about the objects to be protected, the measures, and the threats.

There are many similarities between CIP strategy documents and one common element is the im-portance of the concepts of resilience and of public-private partnerships, in different combinations. For example, the overarching goal of the United States’ National Infrastructure Protection Plan (NIPP), one of the more elaborate strategies, is to “build a safer, more secure, and more resilient America by prevent-ing, deterring, neutralizing, or mitigating the effects of deliberate efforts by terrorists to destroy, incapaci-tate, or exploit elements of our Nation’s CIKR [Critical Infrastructures and Key Resources] and to strengthen national preparedness, timely response, and rapid

recovery of CIKR in the event of an attack, natural disaster, or other emergency.”13 Similarly, in Canada, the document Working Towards a National Strategy and Action Plan for Critical Infrastructure: Strategy (2008) highlights the importance of enhancing re-silience as a ‘quasi’ critical infrastructure protection goal ‘that can be achieved through the appropriate combination of security measures to address hu-man induced intentional threats; business continu-ity practices to deal with disruptions and ensure the continuation of essential services; and emergency planning to ensure adequate response procedures are in place to deal with unforeseen disruptions to critical infrastructure.’14 Furthermore, this document reveals that partnerships, risk management, and in-formation-sharing are viewed as key components of CIP.InAustralianofficialdocuments,thestatedCIPGsare: ‘to identify critical infrastructure, analyze vulner-ability, and interdependence, and protect Australia from and prepare for, all hazards.’15

Some of the strategies delegate the definition ofCIPGs to specific bodies. In Australia, for instance,the Trusted Information Sharing Network for Criti-cal Infrastructure Protection (TISN) – a collaborative platform – brings public and private owners and operators of critical infrastructure together to build relationships, exchange information, and articulate protection goals and methods for analysis. In the United Kingdom, the Centre for the Protection of

13 Department of Homeland Security (2009), National Infra-structure Protection Plan. Partnering to enhance protection and resiliency, p. 1.

14 Her Majesty the Queen in Right of Canada (2009), National Strategy and Action Plan for Critical Infrastructure, Available at: http://www.publicsafety.gc.ca/prg/em/ci/_fl/ntnl-eng.pdf

15 Elgin M. Brunner and Manuel Suter (2008), International CIIP Handbook 2008/2009. An Inventory of 25 National and 7 International Critical Information Infrastructure Protection Policies, Center for Security Studies, ETH Zurich, p. 49.

CRN REPORT Focal Report 4 – Critical Infrastructure Protection

8

National Critical Infrastructure (CPNI) operates in a comparable way.

Among the countries studied, Germany is an inter-esting and exceptional case. In the document Schutz Kritischer Infrastrukturen – Risiko- und Krisenmana-gement. Leitfaden für Unternehmen und Behörden (2007), protection goals play an important role. The document differentiates between strategic and ope-rational protection goals.16 On the one hand, strategic protectiongoalsaredefinednotintermsofwhattheyare but by what they should achieve. Further, they are seentobeinfluencedbyethical,operative,technical,financial,social,andenvironmentalaspectsandmustdescribe the nominal condition. This resonates with the PLANAT model and its statement that protection goals must live up to a variety of requirements.17 So to allow for evaluation, the goals, as formulated by the German strategy paper, are supposed to be speci-fic,measureable,implementable,realistic,andtime-phased.18 Operational protection goals, on the other hand, are meant to help with the implementation of protection measures. The same document also deli-vers examples of protection goals, including: the best possible protection of personnel and other attende-es; maintaining the functionality of an infrastructure in extreme situations; compliance with legal require-ments; avoidance of high economic costs; avoidance of a potential image loss.19 These details are by far the most elaborate that we were able to identify in the fieldofCIP– further research intohow these ideas

16 Bundesministerium des Innern (2007), Schutz Kritischer In-frastrukturen – Risiko- und Krisenmanagement. Leitfaden für Unternehmen und Behörden, p. 14. Available at: http://www.bbk.bund.de/cln_027/nn_398734/SharedDocs/Publikationen/Publikationen_20Kritis/Leitfaden__Schutz-Kritis.html

17 PLANAT, pp. 9f.

18 Bundesministerium des Innern (2008), p. 15.

19 Bundesministerium des Innern (2008), op.cit., p. 16.

arebeing implemented couldbe verybeneficial forthe Swiss CIP strategy process.

2.3 Level 3: Sector-Specific Protection Goals

More tailored protection goals – very often tied spe-cificallytodefinitionandimplementationofprotec-tionmeasures– canbe found in sector-specificCIPplans. The United States (US) is the only country pursuingacomprehensivesector-specificprotectionapproach – articulated in the 2006 (and updated ver-sion of 2009) National Infrastructure Protection Plan (NIPP),whichprovidedthefirstroadmapforprotec-tion of the 18 critical infrastructure/key resources (CIKR).20 Using a risk management framework, pub-lic and private agencies are required ‘to prioritize protection activities within and across the sectors in an integrated, coordinated fashion.’ In addition, sector-specificfederalagencies21 became responsible for coordinating CIP efforts with relevant public and private stakeholders and developing sector-specificplans. Thus far, nine plans have been made available in the following areas: agriculture and food, bank-ing and finance, communication, defense indus-trial base, energy, information technology, national monuments and icons, transportation systems, and water. In all of the sectors discussed, the respective planslistspecificimplementationmeasuresusedtoachieve the goals.22

20 Homeland Security Presidential Directive 7: Critical Infrastruc-tureIdentification,Prioritization,andProtection.Availableat:http://www.dhs.gov/xabout/laws/gc_1214597989952.shtm.

21 Foracompletelistofthesector-specificagencies,seetheNa-tional Infrastructure Protection Plan, p. 19. Available at: http://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf.

22 Other plans can be retrieved at http://www.dhs.gov/files/pro-grams/gc_1179866197607.shtm.

Protection Goals

9

All sector plans share a common framework (see Figure 2);23 however, they also allow for flexibilityand encourage customization. The water sector, for example, has developed the following main goals:24 1) sustain protection of public health and the envi-ronment; recognize and reduce risks in the water sector; 2) maintain a resilient infrastructure; 3) in-crease communication, outreach, and public confi-dence.25Atfirstglance, thesegoalsagainappear tobe rather general. However, more information can be found in the implementation efforts. For instance, to achieve goal 1, the ‘Water Security Initiative’ and ‘Wa-ter Laboratory Alliance’ were designed to detect wa-ter contamination, the former serving as a warning system.26 In goal 2, measures include performing risk assessment to carrying out a consequence analysis project that aims to help improve security.27

In the United Kingdom (UK), which has 9identifiedsectors, thereare sector-specificplans,but theyarenot publicly available, according to a CPNI expert. Each sector is allocated the task of identifying critical assets to protect as well as the mandate to formu-late tailored plans to protect those assets, with the overarching goal to reduce vulnerability in the sector. In the Netherlands, there is no indication that sector-specificplansexist,however,eachsectordefinesandimplements its own protection policies, which seems to indicate that bottom-up efforts to develop protec-tion goals are encouraged. Similarly, Germany does not define specific protectiongoals outside of call-ing for prevention, reaction, and sustainability of its critical infrastructure (and outside of the very general

23 http://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf.

24 http://www.dhs.gov/xlibrary/assets/nipp-ssp-water.pdf.

25 Ibid., pp. 65ff.

26 Ibid., p. 65.

27 Ibid., p. 66.

framework provided in its document Schutz Kritischer Infrastrukturen). Despite this, it has, like some coun-tries,identifiedanextensivelistofCIsectorsandsub-sectors that should be protected. Though Germany doesnotdefinetheprotectiongoalsofspecificsec-tors in great detail, the extent to which it has out-lined the varying sectors, sub-sectors, and the critical IT-dependent systems within each sector points to some underlying effort to create more customized protection goals.

TheITsectoristheonesectorforwhichwefindsec-tor-specificprotectiongoaleffortsincountriesotherthan the US. For instance, Germany emphasizes the importance of the information infrastructure, as il-lustrated in the 2005 Nationaler Plan zum Schutz der Informationsinfrastruktur (NPSI) and the subse-quent 2007 report Umsetzungsplan KRITIS. For the

NIPP SSP framework

� identify priority CIKR and functions within the sector

� assess sector risks

� assess and prioritize assets, systems, and networks

� developdetailed,sector-specificrisk-mitiga-tion programs

� provide protocols for the transition between steady-state ––CIKR protection and incident response in an all-hazards environment

� use metrics to measure and communicate program effectiveness and risk management progress

� address R&D requirements and activities

� identify the process used to promote coope-ration and information-sharing within the sector.

Figure 2

CRN REPORT Focal Report 4 – Critical Infrastructure Protection

10

IT sector, the CIP Implementation Plan in Germany (UP KRITIS)28 contains protection goals. Aside from prevention, reaction, and sustainability, the protec-tiongoalsinthissectorareidentifiedasensuringtheavailability, integrity,andconfidentialityof informa-tion and information technology. The same goals are defined inNorwegianand Swedishdocuments. Forinstance, the Information Security in Sweden – Situa-tional Assessment 2009 definesinformationsecurity‘as the ability to maintain the desired level of con-fidentiality, integrityandavailabilitywhenhandlinginformation.’29 Comparably, in Norway, the National

28 http://www.bmi.bund.de/cln_144/SharedDocs/Downloads/DE/Broschueren/DE/2007/Kritis.html (in German)

29 Information Security in Sweden: Situational Assessment 2008, p. 13

Guidelines to Strengthen Information Security 2007–2010 identified the same three protection goals inthe area of information security.30 As one would ex-pect, these goals are congruent with the core con-ceptsofinformationsecurity,afieldestablishedlongbefore CIP became a policy issue of high saliency.

30 The Norwegian Government, 2007. National Guidelines to Strengthen Information Security 2007–2010, Available at: https://www.nsm.stat.no/Documents/KIS/Publikasjoner/Na-tional%20Guidelines%20on%20Information%20Security%202007-2010.pdf.

Protection Goals

11

In the following, we begin by analyzing in the form in which protection goals appear in publicly avail-able documents, specifically identifying three typesof protection goals (3.1). We further address the pur-pose that the protection goals serve and the aspects they cover (3.2). Linked to these conceptual analyses isthemorepracticalaspectofwhodefinestheCIPGsonwhichlevels(3.3).Inafinalchapter(3.4),webrieflycompare protection goals in CIP practices with the PLANAT-ideal type and in doing so take into consid-eration the applicability and usefulness of protection goals in CIP and the aspects they should cover.

3.1 Three Types of Protection Statements on three Levels of Strategy: Principles – Policies – Goals

The analysis of CIP documents covered in this report has shown that ‘protection goals’ vary with regard to their specificity and purpose. Aswe highlightedin the previous section, on the level of national se-curity strategies and policy papers CIPG tend to use rather general terms such as ‘prevention’, ‘mitigation of vulnerabilities’, or ‘protection of vital interests’. We believe it would be useful to label these kind of state-ments ‘protection principles’ rather than protection goals, because they provide the general framework for CIP. For the purpose of this analysis protection principles are on level one.

On the second level, slightly more specific protec-tion goals are found in CIP strategies. These goals, formulated for all CIs, can be described as ‘protection policies’,astheygenerallydefinewhatmustbepro-tected from which threats and the method to do so. Comparably,thesearemorepreciseandspecificthanthe protection principles but still follow a systemic-abstract logic as they refer to the totality of all CIs

rather than to one sector or to one infrastructure. On this aggregated level, protection goals include exam-ples like: ‘identifying critical infrastructures and key resources’, ‘enhancing resiliency’, or ‘analyzing inter-dependencies and vulnerabilities’.

Thethirdlevelisthesector-specificdimensionwheregoalsaredefined.On this level, theCIPGsaremoreconcrete. Examples include goals that aim to ensure ‘the availability, integrity and confidentiality of in-formation and information technology’ or ‘sustain protection of public health and the environment’. Theymaybe referred to as (sector-specific) ‘protec-tion goals’.

3.2 Purposes and Characteristics of CIPGs

Characteristics and purposes differ for each of the three identified levels. Protection principles, for in-stance, are formulated in national security strate-gies or policy papers and can provide guidance to the administrative bodies in charge of CIP by describing potential threats and risks as well as highlighting the necessity to tackle them. In addition, the national se-curity strategies and policy papers provide the frame-work for the risk analysis and management process-es. While they differ from the concept of protection goals as presented in the PLANAT model, protection principlesareveryimportantinacomplexfieldsuchas CIP as they ensure a necessary level of coherence between different levels of government and help in developing measures to ensure security.

In order to analyze and manage the risks in CIP, pro-tection principles need to be translated into less abstract concepts. This translation process happens on the second level, the level of protection policies. Protection policies specify what protection principles

3 EVALUATION AND IMPLICATIONS

CRN REPORT Focal Report 4 – Critical Infrastructure Protection

12

such as ‘prevention’ or ‘resilience’ mean for CIP and identify means for identifying, assessing, and man-aging the risks to CI. Such protection policies state, for example, that prevention shall be improved by public-private collaboration or that the resilience of CI (understood as the entirety of CIs, not as individual infrastructures) shall be strengthened by informa-tion-sharing between the owners and operators of CIs. These policies are necessarily broad as it is not possible to determine criteria for all sectors of CIs: the differences are too big. But, at the same time, the interdependencies between the different CIs make a coherent approach indispensable. One sector cannot be secure if another sector on which it depends is

not. The development of shared frameworks for risk analysis and management is a crucial step in CIP, as itallowstheformulationofsector-specificprotectiongoals without risking a loss of coherence within CIP as a whole.

That leads us to the third level of CIPGs on a sector-specificlevelwherethegoalsneedtobesufficientlyspecific to enable implementation (cf. the conceptof operational protection goals in the German ap-proach). On this level, there needs to be clarity with regards to the overall aim and purpose of protection efforts, including what risks to focus on. Therefore, thesegoalscomeclosesttofittingthedefinitionof

Protection Principles

Protection Policies

Protection Goals

National Security Strategies

CIP Stategies

Sector-Specific Plans

Identify overarching protection areas (economy, CI, etc.) and principles, such as adopting all-hazards approaches and risk paradigm, enhancing resilience.

Identify the CIs to be protected (key resources, critical infrastructure sectors) and how to protect them (enhance resilience, address interdependencies, etc.).

Identify common protection goals: information-sharing, risk manage-ment frameworks, early warning, identi�cation of CI and interdepend-encies.

Figure 3

Protection Goals

13

a protection goal as a threshold between acceptable and unacceptable risks, as specified in the PLANATdocument. However, such a purpose demands a pre-ciseandquantitative(=numerical)definitionofdam-age levels. Such metrics are lacking in the (public) CIP discussion. It is likely that they exist in some cases (forexample,inthecaseofclearlyidentifiableassetssuch as nuclear reactors), but are not publicly avail-able. It is also likely that in most cases such numerical values do not exist. In large and highly complex sec-tors such as the IT sector, such thresholds only make little sense. In addition, the processes of negotiation between public and private actors may hamper the formulation of clear-cut protection goals.

This hierarchy between the three levels and types of protection statements is illustrated in Figure 3.

3.3 Two Integrated Processes for Defining Protection Goals

From the above, it becomes clear that public and pri-vateactorsplay specific roles in the formulationofprinciples, policies, or goals. We can distinguish be-tween twoprocesses that lead to the definition ofCIPGs. One the one hand, protection principles are formulated in political processes and formulated in national security strategies. On the other hand, sec-tor-specific protection goals are formulated in col-laboration with the owners and operators of CI. The function of protection policies is to connect these top-down and bottom-up processes (which cannot be regardedasbeing independentsince they influ-ence each other) and incorporate them into one co-herentapproachtoCIP.Morespecifically,onallthreelevels CIPGs are usually the result of both political decisions and consultations with the private sector. However, public and private sectors have different re-

sponsibilities when it comes to protection goals. It is the role of the public actors to ensure that protection goals developed on the third level are in line with the protectionprinciplesandpoliciesdefinedonthefirstand second levels. The private actors are responsible for ensuring that the protection goals are realizable and meaningful for the specific demands of theirsector.

3.3.1 The Definition of Principles and Policies in Political Processes

Political decision-makers set general goals (=prin-ciples) for CIP and thereby guide the development ofmore specific protection goals. They also decidewhat needs to be protected from which threats and by which means.31 The question of ‘what needs to be protected’ is a key question in CIP that is closely relat-edtothedefinitionofprotectiongoals.Thecritical-ity of infrastructures depends on factors such as the importance for other infrastructures, for the national economy, or for society at large. However, these fac-torsaredifficulttoquantifysatisfactorily,sothattheidentification of CIs remains an inherently politicaldecision. In consequence, the CI sectors and subsec-tors are often listed in strategy papers or government directives.32

Anotherpoliticaldecisionthataffectsthedefinitionof protection goals is the question of which threats the CIs need to be protected from. The potential threat spectrum ranges from terrorist attacks to hu-man error to technical failures and also includes nat-ural hazards/disasters. To avoid turf battles among agencies, it is therefore crucial to address the dis-

31 Cf. Caudle (2009).

32 Such as, e.g: Department of Homeland Security (2003), Homeland Security Presidential Directive 7: Critical Infrastruc-tureIdentification,PrioritizationandProtection.

CRN REPORT Focal Report 4 – Critical Infrastructure Protection

14

cussion on sources of threats at the political level. In response to that need, many strategies and policy papers emphasize the importance of the ‘all-hazards approach’ in CIP.33 This means that all relevant agen-cies need to be involved and that the concrete protec-tion goals need to be formulated in a threat-neutral way.

Finally, there are also some decisions to be taken on the political level concerning the means by which a goal should be protected. This question is all the more important since many CIs are owned and op-erated by the private sector. Protection can only be achieved if all stakeholders act in concert. This means that specific protection goals should be defined incollaboration with the private sector. Such an em-powerment of non-state actors is not a routine pro-cess and needs to be anchored in political decisions. Hence, many strategies explicitly highlight the need for collaboration with the private sector.34 The prin-ciple of public-private collaboration is thus another important political decision that shapes the formula-tion of concrete protection goals for CIP.

33 Trusted Information Sharing Network for Critical Infrastruc-ture Protection (2004), Critical Infrastructure Protection National Strategy, p. 9. Available at: http://www.tisn.gov.au/www/tisn/rwpattach.nsf/VAP/(427A90835BD17F8C477D6585272A27DB)~Critical_Infrastructure_Protection_National_Strate-gy.pdf/$file/Critical_Infrastructure_Protection_National_Stra-tegy.pdf; Public Safety Canada (2009), Working Towards a National Strategy and Action Plan for Critical Infrastructure, p. 6. Available at: http://www.publicsafety.gc.ca/prg/em/ci/_fl/nat-strat-critical-infrastructure-eng.pdf.

34 The important role of public-private partnerships in CIP is not only articulated in the documents reviewed in this report, but also evident in the establishment of state-sponsored partnership platforms such as Australia’s Trusted Information Sharing Network (TISN), the United Kingdom’s Centre for the Protection of National Infrastructure (CPNI), and the United States Critical Infrastructure Partnership Advisory Council (CIPAC), Sector Coordinating Councils (SCC), and Government Coordinating Councils (GCC).

3.3.2 The Definition of Protection Goals in Consultative Processes with Practitioners

As indicated above, decisions on the political level determine theroomofmaneuverfor thedefinitionof protection goals for CIP. However, these goals are notonly influencedby top-downpoliticaldecisions,but also by bottom-up consultations with the own-ers and operators of CIs.

The private sector influences the definition of pro-tection goals in three different ways: First, the own-ers and operators of CI are represented in advisory boards for CIP and contribute directly to the develop-ment of national CIP policies. The best known historic example is the Advisory Committee to the President’s Commission for Critical Infrastructure Protection (PCCIP), which was composed of 15 industry leaders and informed the work of the PCCIP.35 Today, similar advisory bodies exist in many countries. Examples in-clude the Strategic Board for CIP (SOVI)36 in the Neth-erlands; the National Infrastructure Advisory Council (NIAC)37 in the United States; or the Critical Infra-structure Advisory Council (CIAC)38 in Australia. These advisory bodies are key actors in the development of CIPpoliciesandthushaveanimportantinfluenceonthedefinitionofgeneralprotectiongoals.

Secondly, private actors closely collaborate with sector-specific agencies to develop and implementprotection goals for their individual sectors. While

35 Kathi Ann Brown (2006), Critical Path. A Brief History of Critical Infrastructure Protection in the United States, George Mason University, pp.82ff.

36 https://www.navi-online.nl/content/24/SOVI+werkgroep (in Dutch).

37 http://www.dhs.gov/files/committees/editorial_0353.shtm.

38 http://www.tisn.gov.au/www/tisn/tisn.nsf/Page/Aboutthe-TISN_CriticalInfrastructureAdvisoryCouncil_CriticalInfrastruc-tureAdvisoryCouncil.

Protection Goals

15

such collaborations are well-established across most sectors and in most countries, they often remain in-formal and only rarely publish reports identifying sector-specific protection goals. The Sector-SpecificPlans in the United States,39 which are mandated by the National Infrastructure Protection Plan (NIPP) and publicly available, are an exception. These plans list the sector-specific goals and identify the part-ners that contributed to the development of these goals. Another example of a jointly developed sector-specificplanthatincludesprotectiongoalsistheCIPImplementation Plan in Germany (UP KRITIS)40 for the IT sector.

The thirdway inwhichprivateactors influence thedefinitionofprotectiongoalsconsistsoflobbyingac-tivity where industry groups try to shape CIP policies according to their interests. By talking to politicians or issuing white papers and press releases, lobbyists can advocate for the importance of their own sector and/or to push for government initiatives. For exam-ple, in its Information Security Policy Agenda 2007, the Information Technology Association of America (which is a leading industry group for United States IT and electronics businesses) writes that it is the or-ganization’s goal to ‘ensure that cyber security is an integral part of critical infrastructure protection.’41 Another example is the strong public support of the Australian Bankers’ Association for the development of the Trusted Information Sharing Framework.42

39 http://www.dhs.gov/files/programs/gc_1179866197607.shtm.

40 http://www.bmi.bund.de/cln_144/SharedDocs/Downloads/DE/Broschueren/DE/2007/Kritis.html (in German).

41 http://www.itaa.org/upload/infosec/docs/ITAA%20Info-Sec%20Public%20Policy%20Agenda%202007_FINAL.pdf.

42 http://www.bankers.asn.au/Critical-Infrastructure-Protection-Cybercrime-Submission-Lodged/default.aspx.

3.4 Conclusion

The three-level model in combination with the de-scription of the combined top-down/bottom-up pro-cess outlined above provides a useful framework for thedefinitionanduseofprotectiongoalsincriticalinfrastructure protection, as it ensures coherence be-tweentheCIPGsindifferentsectorsandasufficientlevelof specificationofCIPGswithin the individualsectors. Figure 4 outlines an ideal CIP framework for thisprocessofdefiningCIPGsandidentifiestwoar-eas of decision-making – the political level, where na-tionalsecuritypolicyandCIPisfirstarticulated,andthesector-specificlevel,wherethepublicandprivatesectors come together to create more tailored pro-tection objectives.

Beginning at the political level, protection goals are firstidentifiedatthehigheststrategiclevelsandar-ticulated in a national security framework/strategy. In this phase, overarching protection principles and goals, such as the protection of critical infrastructure, are addressed. The next step is the creation of CIP strategieswherespecificsectorsandsub-sectorsarehighlighted and protection principles (such as pro-moting information-sharing, utilizing a risk frame-work, creating public-private partnerships, etc.) are appliedandfurtherrefined.Thisstepleadstoapro-cess of policy transfer, with CIPGs developed at the politicallevelandappliedatthesector-specificlevelwhere public agencies and CI operators in the private sectorinteractandexchange.Thesector-specificlevelis where protection goals become customized based ontheparticularneedsofanidentifiedCIsector–re-sultingintheconstructionofsector-specificplans.Atthis stage, the role of the private sector is to man-age CI, liaise with the public sector, and articulate goals and measures to achieve protection. Within the public sector, specialized agencies work to commu-

CRN REPORT Focal Report 4 – Critical Infrastructure Protection

16

nicate federal mandates to CI operators and create platforms for information-sharing and partnerships.

While the CIP framework described herein points to a traditional top-down process – with the top level setting the agenda – there are bottom-up forces that inform the political level, creating feedback loops. At both levels, a broader informing environment providesinsightsandinfluencetothoseidentifyinggoals and means of protection, for example. This in-formingenvironmentincludespublicofficialsandlo-cal/regional state agencies as well as those operating in the private sector and in academia/think-tanks. Overall,thisframeworkexemplifiesadynamic,inter-activeprocesswhereeachsphereofinfluencehasakey role to play in defining and refining protectiongoals.

If protection goals are to be defined for the SwissCIP strategy, they should be oriented towards what we called ‘protection policies’, which help to trans-late protection principles into less abstract concepts. It is the role of the FOCP, as the coordinating body, to ensure that future protection goals developed

in sectors and sub-sectors and the protection prin-ciples and policies are in line with each other. The workingdefinitionofprotectiongoals (tobe foundin the document “Grundstrategie des Bundesrates zum Schutz Kritischer Infrastrukturen: Basis für die nationale Strategie zum Schutz Kritischer Infrastruk-turen”, May 2009 [and approved by the Federal Coun-cil in June 2009] www.infraprotection.ch) adopts a very similar understanding.43 The downside of vague protectiongoalsisthatitbecomesmoredifficultto‘measure’ the success of protection measures. It is, however, not impossible: The quality of information exchange in public-private partnerships or the level of resilience are examples of how success in critical infrastructure protection can be measured.

43 “The protection goals describe the level of security to be at-tainedandfinancedanddeterminetherespectiveprotectivemeasures. The protection goals themselves are not absolute and depend on the security policy situation. General protection goalsmaybeinferredfromthestatusreport,whilespecificprotection goals must be agreed for each infrastructure sector (e.g., minimum level of power supply in the energy sector). They depend on the nature of the infrastructure and its criticality” (p. 2). However, because protection goals are neces-sarily vague in CIP, it does not make sense to change them in the case of ‘exceptional situations’ (e.g., war) (as stated in the same document). The goal of CIP is to ensure that the neces-sary level of services is upheld regardless of the type and level of threats in the environment – and at all times.

Protection Goals

17

CRITICAL INFRASTRUCTURE PROTECTION FRAMEWORK

National Security Strategy/Framework

Identification of Critical Infrastructure as Security Priority

CIP policy communicated to regional & local agencies; CI private sector actors identified

Coordination between levels: translate policy from political to public-private level and vice versa

Political Level

Sector- Specific Level

Private Sector (CI operators)

Create Sector- Specific

Public Sector (specialized agencies)

Top-

Dow

n Pr

oces

s: Po

litic

al D

ecis

ions

Bottom-U

p Process: Public &

Private Consultations

Figure 4: CIP Framework

CRN REPORT Focal Report 4 – Critical Infrastructure Protection

18

4 AN

NEX

4.1

Prot

ectio

n Go

als (

Text

s)

‘Pro

tect

ion

Goa

ls’ i

n N

atio

nal S

ecur

ity

Stra

tegy

Offi

cial

CIP

Str

ateg

y (w

ith P

rote

ctio

n G

oals)

Sect

or-S

peci

fic P

rote

ctio

n G

oals

Aust

ralia

‘CIP

is c

ente

red

on t

he n

eed

to m

inim

ize

risks

topub

lichealth

,safetyandconfi

dence,ensure

econ

omic

secu

rity,

mai

ntai

n Au

stra

lia’s

inte

rna-

tiona

l com

petit

iven

ess

and

ensu

re th

e co

ntin

u-ity

of g

over

nmen

t ser

vice

s’.44

Australiamaintainsse

ctor-specificgoalsinth

earea

of C

IIP.

Ove

rall

goal

s in

clud

e: a

war

enes

s-ra

isin

g,

prom

otin

g e-

secu

rity

skill

s, ad

vanc

ing

rese

arch

and

de

velo

pmen

t, an

d co

ordi

natin

g th

e go

vern

men

t policiesrelatedtoe-security.M

orespecifically,agen-

cies

hav

e be

en m

anda

ted

to a

ddre

ss s

ophi

stic

ated

andtargetedattacksth

atarediffi

culttodetectand

fig

htbyconventio

nalm

easures.TheE-Securityna

-tio

nalpolicystatem

ent,up

datedin200

7,identifi

ed

redu

cing

e-S

ecur

ity r

isks

to

stat

e in

form

atio

n an

d co

mm

unic

atio

n sy

stem

s as

a k

ey g

oal.45

In p

artic

u-lar,thedocumentidentifiedth

eprotectio

nrolesof

vario

us d

epar

tmen

ts, i

nclu

ding

tho

se o

f th

e D

e-fe

nse

Sign

als

Dire

ctor

ate

(DSD

);46 t

he D

epar

tmen

t of

Fin

ance

and

Adm

inis

trat

ion’

s G

over

nmen

t Inf

or-

mationManagem

entOffice;47

the

Atto

rney

-Gen

er-

al’s

Dep

artm

ent (

AGD)

; the

Aus

tral

ian

Fede

ral P

olic

e (A

FP);

the

Dep

artm

ent

of C

omm

unic

atio

ns, I

nfor

-m

atio

n Te

chno

logy

and

the

Art

s (D

CITA

); an

d th

e Au

stra

lian

Com

mun

icat

ions

and

Med

ia A

utho

rity.

Cana

da1.

Pr

otec

ting

Cana

da a

nd C

anad

ians

at

hom

e an

d ab

road

;

2. en

surin

g Ca

nada

is n

ot a

bas

e fo

r th

reat

s to

its a

llies

; and

3. Co

ntrib

utin

g to

inte

rnat

iona

l sec

u-rit

y.48

‘The

ulti

mat

e ou

tcom

e of

the

CIP

str

ateg

y w

ill

beth

atCIissufficientlyresilient,therebyassur

-in

g th

e co

ntin

ued

avai

labi

lity

of e

ssen

tial s

er-

vice

s to

Cana

dian

s.’49

44

Trus

ted

Info

rmat

ion

Shar

ing

Net

wor

k fo

r Crit

ical

Infr

astr

uctu

re P

rote

ctio

n (2

004)

, Cr

itica

l Inf

rast

ruct

ure

Prot

ectio

n N

atio

nal S

trat

egy

vers

ion

2.1,

p. 5

. 45http://www.dbcde.gov.au/__data/assets/pdf_file/00

11/71201/ESNA_Public_Policy_

Stat

emen

t.pdf

.46

Ib

id., p

. 3.

47

Ibid

.

48

Her

Maj

esty

the

Que

en in

Rig

ht o

f Can

ada

(200

4), S

ecur

ing

an O

pen

Soci

ety:

Cana

da’s

Nat

iona

l Sec

urity

Pol

icy,

p. v

ii.

49

Publ

ic S

afet

y an

d Em

erge

ncy

Prep

ared

ness

Can

ada

(200

4), G

over

nmen

t of C

anad

a Po

sitio

n Pa

per o

n a

Nat

iona

l Str

ateg

y fo

r Crit

ical

Infr

astr

uctu

re P

rote

ctio

n, p

. 6.

Protection Goals

19

Ger

man

yW

icht

igst

es i

nhal

tlich

es Z

iel

der

Nat

iona

len

Stra

tegi

e is

t es

, das

Sch

utzn

ivea

u fü

r di

e Kr

i-tis

chen

Inf

rast

rukt

uren

in

Deu

tsch

land

dur

ch

geei

gnet

e un

d m

it al

len

Akte

uren

abg

estim

mte

M

aßna

hmen

geg

enüb

er d

en v

orha

nden

en u

nd

zu e

rwar

tend

en R

isik

en s

o an

zupa

ssen

, das

s-Ri

sike

n im

Vor

feld

erk

annt

wer

den,

gra

vier

ende

St

örun

gen

und

Ausf

älle

ver

mie

den

bzw

. au

f ei

n M

inde

stm

aß b

esch

ränk

t w

erde

n (P

räve

n-tio

n);

Folg

en

von

Stör

unge

n un

d Au

sfäl

len

durc

h N

otfa

llman

agem

ent,

Redu

ndan

zen

und

Selb

sthi

lfeka

pazi

täte

n so

ger

ing

wie

mög

lich

geha

lten

wer

den

(Rea

ktio

n) u

nd la

ufen

d fo

rtge

-sc

hrie

bene

Gef

ährd

ungs

anal

ysen

sow

ie A

naly

-se

n vo

n St

örfä

llen

zur V

erbe

sser

ung

der S

chut

z-st

anda

rds g

enut

zt w

erde

n (N

achh

altig

keit)

.50

Ger

man

y em

phas

izes

the

impo

rtan

ce o

f CIIP

as

il-lu

stra

ted

in t

he 2

005

Nat

iona

ler

Plan

zum

Sch

utz

der

Info

rmat

ions

infra

stru

ktur

(N

PSI)

and

the

sub-

sequ

ent

2007

rep

ort

Um

setz

ungs

plan

KRI

TIS.

The

protectio

ngoalsa

redefinedthemostclearlyinth

is

docu

men

t’s g

loss

ary:

IT-S

iche

rhei

t - Z

usta

nd, in

dem

Ve

rfüg

bark

eit,

Inte

gritä

t und

Ver

trau

lichk

eit v

on In

-fo

rmat

ione

n un

d In

form

atio

nste

chni

k ge

schü

tzt

sind

.

In p

artic

ular

, the

se d

ocum

ents

als

o hi

ghlig

ht t

he

fact

that

, in a

dditi

on to

pro

tect

ing

the

criti

cal i

nfor

-m

atio

n in

fras

truc

ture

, the

IT d

imen

sion

of

this

CI

sect

or s

houl

d al

so b

e fa

ctor

ed in

. Thi

s in

clud

es th

e co

ntin

ued

safe

ty o

f con

trol

cen

ters

, pro

cess

con

trol

technology,sup

plychainmanagem

ent,trafficman

-agem

ent,trafficsa

fety,and

navigation.

Net

herla

nds

The

goal

of

the

stra

tegy

for

nat

iona

l se

curit

y is

to

prot

ect

the

vita

l int

eres

ts

of t

he N

ethe

rland

s in

ord

er t

o pr

even

t so

ciet

al d

isru

ptio

n. 51

With

reg

ard

to t

he p

rote

ctio

n of

crit

ical

infr

a-st

ruct

ures

in t

he N

ethe

rland

s, th

e pr

ofes

sion

al

and

polit

ical

am

bitio

n le

vel a

ims

to e

nsur

e th

at

the

gove

rnm

ent

and

busi

ness

sec

tor

take

re-

spon

sibi

lity

and

wor

k to

geth

er to

:

1. do

eve

ryth

ing

poss

ible

to p

reve

nt th

e la

rge-

scal

e fa

ilure

or

disr

uptio

n of

crit

ical

inf

ra-

stru

ctur

es (p

reve

ntio

n);

2. en

sure

that

the

coun

try

is p

rope

rly p

repa

red

for

the

cons

eque

nces

sho

uld

such

a fa

ilure

or

dis

rupt

ion

occu

r (pr

epar

atio

n);

3. ta

ke e

ffect

ive

mea

sure

s to

min

imiz

e th

e lo

ss

that

occ

urs a

s a re

sult

of fa

ilure

or d

isru

ptio

n (re

pres

sion

). 52

50

Bund

esm

inis

teriu

m d

es In

nern

(200

9), N

atio

nale

Str

ateg

ie zu

m S

chut

z Krit

isch

er

Infr

astr

uktu

ren

(KRI

TIS-

Stra

tegi

e), p

p. 12

f. Av

aila

ble

at: h

ttp:

//w

ww

.bm

i.bun

d.de

/Sha

redD

ocs/

Pres

sem

ittei

lung

en/D

E/20

09/m

itMar

gina

lspa

lte/0

6/kr

itis.

htm

l?nn=

1062

28.

51

Min

istr

y of

the

Inte

rior a

nd K

ingd

om R

elat

ions

(200

7), N

atio

nal S

ecur

ity S

trat

egy

and

Wor

k Pr

ogra

mm

e 20

07-2

008,

p. 1

6.

52

Min

istr

y of

the

Inte

rior a

nd K

ingd

om R

elat

ions

(200

4), C

ritic

al In

fras

truc

ture

Pro

-te

ctio

n in

the

Net

herla

nds.

The

Dut

ch A

ppro

ach

to C

IP, p

. 11.

CRN REPORT Focal Report 4 – Critical Infrastructure Protection

20

Nor

way

‘Crit

ical

infr

astr

uctu

res

are

thos

e co

nstr

uctio

ns

and

syst

ems

that

are

ess

entia

l in

orde

r to

up-

hold

soc

iety

’s cr

itica

l fun

ctio

ns, w

hich

in t

ime

safe

guar

d so

ciet

y’s

basi

c ne

eds

and

the

feel

ing

of sa

fety

and

secu

rity

in th

e ge

nera

l pub

lic.’53

The

Nat

iona

l G

uide

lines

to

Stre

ngth

en I

nfor

ma-

tionSecurity2007–2010identifi

edth

reeprotectio

ngo

als i

n th

e ar

ea o

f inf

orm

atio

n se

curit

y:54

Res

ilien

t an

d se

cure

crit

ical

infr

astr

uctu

res

and

supp

ort s

ys-

tem

s fo

r crit

ical

soc

ieta

l fun

ctio

ns; a

goo

d se

curit

y cu

lture

gui

ding

the

dev

elop

men

t an

d us

e of

info

r-m

atio

n sy

stem

s an

d sh

arin

g of

ele

ctro

nic

info

rma-

tion;

hig

h co

mpe

tenc

e an

d a

focu

s on

res

earc

h ab

out i

nfor

mat

ion

secu

rity.

The

gove

rnm

ent

oblig

es a

ll ow

ners

of C

II to

ado

pt

prot

ectiv

e m

easu

res

and

build

mor

e re

dund

ancy

in

to in

form

atio

n sy

stem

s.55

Swed

enTh

e re

port

Info

rmat

ion

Secu

rity

in S

wed

en –

Situ

-at

iona

l Ass

essm

ent

2009

definesprotectio

ngoals

in th

e ar

ea o

f inf

orm

atio

n se

curit

y “a

s the

abi

lity

to

maintainthedesiredlevelofconfid

entia

lity,integ-

rity

and

avai

labi

lity

whe

n ha

ndlin

g in

form

atio

n.”56

Th

is in

clud

es p

rote

ctin

g no

t on

ly in

form

atio

n sy

s-te

ms,

but

also

info

rmat

ion

man

agem

ent

syst

ems

that

are

crit

ical

to

soci

ety.57

The

200

8 Ac

tion

Plan

forInformationSecurityd

efinedthisrelatio

nshipas

“soc

ieta

l in

form

atio

n se

curit

y”.58

Pro

tect

ion

goal

s in

Sw

eden

’s IT

sec

tor

are

thus

tai

lore

d to

war

ds

not

only

sec

urin

g th

e ph

ysic

al i

nfor

mat

ion

infr

a-st

ruct

ure,

but a

lso

prov

idin

g no

n-ph

ysic

al in

form

a-tio

n se

curit

y w

here

issu

es s

uch

as m

ass

disr

uptio

n ca

used

by

hack

ing,

frau

d, a

nd d

isse

min

atio

n of

ma-

licio

us co

de a

re o

f con

cern

. Pro

tect

ion

goal

s are

par

-tic

ular

ly ta

rget

ed fo

r int

erne

t sec

urity

, med

ical

car

e an

d he

alth

care

, and

e-g

over

nmen

t.

53

Min

istr

y of

Just

ice

and

the

Polic

e (2

006)

, Pro

tect

ion

of cr

itica

l inf

rast

ruct

ures

and

cr

itica

l soc

ieta

l fun

ctio

ns in

Nor

way

. Rep

ort N

OU

200

6:6,

subm

itted

to th

e M

inis

try

of Ju

stic

e an

d th

e Po

lice

by th

e go

vern

men

t app

oint

ed co

mm

issi

on fo

r the

pro

tec-

tion

of cr

itica

l inf

rast

ruct

ure

on 5

th A

pril

2006

, p. 4

. 54

Th

e N

orw

egia

n G

over

nmen

t, 20

07. N

atio

nal G

uide

lines

to S

tren

gthe

n In

form

atio

n Se

curit

y 20

07-2

010.

Ava

ilabl

e at

: htt

ps://

ww

w.n

sm.st

at.n

o/D

ocum

ents

/KIS

/Pub

-lik

asjo

ner/

Nat

iona

l%20

Gui

delin

es%

20on

%20

Info

rmat

ion%

20Se

curit

y%20

2007

-20

10.p

df.

55

Ibid

., p. 1

1.

56

Ibid

., p. 1

3.57

Ib

id., p

p. 14

f. An

info

rmat

ion

infr

astr

uctu

re sy

stem

is co

nsid

ered

criti

cal t

o th

e fu

nc-

tioni

ng o

f soc

iety

if it

mee

ts th

e fo

llow

ing

crite

ria: 1

). A

shut

dow

n or

seve

re d

isru

p-tio

n in

its f

unct

ion,

sing

leha

nded

ly o

r in

com

bina

tion

with

oth

er si

mila

r eve

nts,

can

rapi

dly

lead

to a

serio

us e

mer

genc

y in

soci

ety;

2). it

s soc

ieta

l fun

ctio

n is

impo

rtan

t or

ess

entia

l for

resp

ondi

ng to

an

exis

ting

serio

us e

mer

genc

y an

d m

inim

izin

g th

e da

mag

e.58

Ib

id., p

. 15.

Protection Goals

21

Uni

ted

King

dom

It is

the

cou

ntry

’s ‘si

ngle

ove

rarc

hing

na

tiona

l sec

urity

obj

ectiv

e […

to] p

rote

ct

[…]

the

Uni

ted

King

dom

and

its

inte

r-es

ts, e

nabl

ing

its p

eopl

e to

go

abou

t theirdailylivesfreelyand

with

confi-

denc

e, in

a m

ore

secu

re, s

tabl

e, ju

st a

nd

pros

pero

us w

orld

’59

Redu

ce v

ulne

rabi

lity

of t

he n

atio

nal i

nfra

stru

c-tu

re to

terr

oris

m a

nd o

ther

thre

ats,

keep

ing

the

Uni

ted

King

dom

’s es

sent

ial s

ervi

ces s

afer

.60

Uni

ted

Stat

es‘P

rote

ct[io

n of

] th

e Am

eric

an p

eopl

e, ou

r cr

itica

l inf

rast

ruct

ures

, and

key

re-

sour

ces’.

61

‘bui

ld a

saf

er, m

ore

secu

re, a

nd m

ore

resi

lient

Am

eric

a by

pre

vent

ing,

det

errin

g, n

eutr

aliz

ing,

or

miti

gatin

g th

e ef

fect

s of d

elib

erat

e ef

fort

s by

terr

oris

ts to

des

troy

, inca

paci

tate

, or e

xplo

it el

e-m

ents

of

our

Nat

ion’

s CI

KR a

nd t

o st

reng

then

na

tiona

l pr

epar

edne

ss,

timel

y re

spon

se,

and

rapi

d re

cove

ry o

f CIK

R in

the

even

t of a

n at

tack

, na

tura

l dis

aste

r, or o

ther

em

erge

ncy.’

62

TheUnitedStateshascreatedsector-specificplans

fora

llidentifi

edcriticalsectors,som

eofwhichare

publ

ical

ly a

vaila

ble.

Man

y sh

are

com

mon

cha

rac-

teris

tics

and

over

arch

ing

goal

s. Fo

r ex

ampl

e, th

e m

ain

goal

s in

the

wat

er s

ecto

r63 in

clud

e: (1

) sus

tain

pr

otec

tion

of p

ublic

hea

lth a

nd th

e en

viro

nmen

t; (2

) re

cogn

ize

and

redu

ce r

isks

; (3)

mai

ntai

n a

resi

lient

in

fras

truc

ture

; an

d (4

) in

crea

se c

omm

unic

atio

n,

outreach,and

pub

licconfid

ence.C

orresponding

ly,

thegoalsinth

eenergysectora

reidentifi

edas:re

-lia

ble

info

rmat

ion-

shar

ing,

effe

ctiv

e ris

k m

anag

e-m

ent

prog

ram

s, co

ordi

nate

d re

spon

se c

apab

ilitie

s, an

d tr

uste

d re

latio

nshi

ps b

etw

een

publ

ic a

nd p

ri-va

te s

ecur

ity p

artn

ers

at a

ll le

vels

of

indu

stry

and

go

vern

men

t. Fo

r th

e IT

sec

tor,

oper

ator

s ar

e to

en-

hanc

e pr

even

tion

and

prot

ectio

n th

roug

h th

ree

guid

ing

area

s ut

ilizi

ng:64

a r

isk

man

agem

ent

ap-

proa

ch; s

ituat

iona

l aw

aren

ess;

and

resp

onse

, rec

ov-

ery,

and

reco

nstit

utio

n.

59CabinetO

ffice(200

8),TheNationalSecurityStrategyofth

eUnitedKing

dom:Secu-

rity

in a

n in

terd

epen

dent

wor

ld, p

. 5.

60 h

ttp:

//w

ww

.cpni

.gov

.uk/

defa

ult.a

spx.

61

Hom

elan

d Se

curit

y Co

unci

l (20

07),

Nat

iona

l Str

ateg

y fo

r Hom

elan

d Se

curit

y, p.

1.

62

Dep

artm

ent o

f Hom

elan

d Se

curit

y (2

009)

, Nat

iona

l Inf

rast

ruct

ure

Prot

ectio

n Pl

an.

Part

nerin

g to

enh

ance

pro

tect

ion

and

resi

lienc

y, p.

1.

63

http

://w

ww

.dhs

.gov

/xlib

rary

/ass

ets/

nipp

-ssp

-wat

er.p

df

64

Dep

artm

ent o

f Hom

elan

d Se

curit

y (2

007)

, Info

rmat

ion

Tech

nolo

gy C

ritic

al

Infrastructureand

KeyResourcesSectorSpecificPlanasInpu

ttotheNational

Infr

astr

uctu

re P

rote

ctio

n Pl

an, p

.2. h

ttp:

//w

ww

.dhs

.gov

/xlib

rary

/ass

ets/

nipp

-ssp

-in

form

atio

n-te

ch.p

df

CRN REPORT Focal Report 4 – Critical Infrastructure Protection

22

4.2 Annotated Bibliography

4.2.1 Policy documents/reports

Australia. 2004. Critical Infrastructure Protection National Strategy. Trusted Information Sharing Net-work for Critical Infrastructure Protection. Available at: www.tisn.gov.au/www/tisn/rwpattach.nsf/VAP/.../t0KMVCM4.pdfThis strategy is intended to provide an overarching statement of principles for critical infrastructure pro-tection in Australia, and outline the major tasks and assign responsibilities necessary for their application. This strategy is for use not only by government, but also by the owners and operators of infrastructure, their representative bodies, professional associa-tions, regulators and standards setting institutions. The strategy provides guidance for the medium term, witha three tofive yearoutlook. Itwill requirede-tailed implementation plans by governments and industry sectors, and will require the development of interfaces with many other areas of public policy.

Australia. 2008. Attorney General’s Portfolio Security Environment Update 2007–08. Attorney General Of-fice. Available at: http://www.ag.gov.au/www/agd/rwpat-tach.nsf/VAP/(878CAEAF8D7CA41B4CD31727CCC28450)~Security+Environment+Update+2007-2008+(Budget+2007).p d f/ $ f i l e / S e c u r i t y + E nv i ro n m e n t + U p d at e + 2 0 0 7 -2008+(Budget+2007).pdfThis document refers to the Australian national se-curity framework where CI is noted as an asset to protect. Protecting the state from the threat of ter-rorism is the focus. In response, strong cooperation between the Commonwealth, State, Territory and lo-calgovernmentsisidentifiedasawaytocounterthisthreat. The update also notes that businesses and the broader Australian community also have an im-portant role to play.

Australia. 2009. Defending Australia in the Asia Pa-cific Century: Force 2030. Department of Defense, White Paper. Available at: http://www.defence.gov.au/whitepaper/docs/defence_white_paper_2009.pdfThis new Defence White Paper explains how the Gov-ernment plans to strengthen the foundations of Aus-tralia’s defence. It sets out the Government’s plans for Defence for the next few years, and how it will achieve those plans. Most importantly, it provides an indication of the level of resources that the Govern-ment is planning to invest in Defence over coming years and what the Government, on behalf of the Australian people, expects in return from Defence.

Canada. 2009. Working towards a National Strat-egy and Action Plan for Critical Infrastructure. Public Safety Canada. Available at: http://www.publicsafety.gc.ca/prg/em/cip/strat-part1-eng.aspxThis document lays out a proposed national strategy and action plan for critical infrastructure with the goal of enhancing the resiliency of Canada’s critical infrastructure and protecting it from disruptions. Theactionplanidentifiesthreekeythemes:creatingtrusted partnerships across all levels of government and the private sector, committing to an all-hazards risk management approach, and improving informa-tion sharing and protection.

Jenkins Jr., W.O. 2009. Preliminary Observations on FEMA’s Community Preparedness Programs Related to the National Preparedness System. United States Government Accountability Office, Testimony before the Subcommittee on Emergency Communications, Preparedness, and Response, Committee on Home-land Security, House of Representatives. 1 October. Available at: http://www.upmc-biosecurity.org/sebin/u/t/fema_emerg_mgmnt_prelim_obsrv_fema.pdf This testimony provides preliminary observations on (1) challenges FEMA faces in measuring the perfor-

Protection Goals

23

mance of Citizen Corps, its partner programs, and the Ready Campaign and (2) actions FEMA has taken to develop a strategy to encompass how Citizen Corps, its partner programs, and the Ready Campaign op-erate within the context of the NPS. This testimony is based on work conducted from February 2008 to October 2009. GAO analyzed documents, such as FEMA’s strategic plan, and compared reported per-formance data with observations from 12 site visits, selected primarily based on the frequency of natural disasters. The results are not projectable, but provide local insights.

Sweden. 2009. Information Security in Sweden –Sit-uational assessment 2009.Available at: http://www.msbmyndigheten.se/upload/Publikationer/0119_09_Infor-mation_security_in_Sweden.pdf The situational assessment constitutes support for players in society who are involved in managing infor-mation-security issues. The assessment is primarily based on developments during 2008 and the begin-ning of 2009. The report notes the increasing depen-dence on IT and the development of multiple threats and vulnerabilities; stressing the threat posed by cy-bercrime. It further proposes various measures (such as skills enhancement, promoting international col-laboration, and establishment of basic information security) to enhance information security.

United Kingdom. 2009. The National Security Strat-egy of the United Kingdom: Update 2009 – Security for the Next Generation. UK Cabinet Office. Avail-able at: http://www.cabinetoffice.gov.uk/media/216734/nss2009v2.pdf‘Security for the Next Generation’ is the first an-nual update of the National Security Strategy and sets out an updated assessment of the national se-curity threats facing the UK and includes proposals for combating threats to cyber security. The previous

report, UK National Security Strategy – Security in an Interdependent World, was published in 2008. It also notes how the UK is addressing changing security threats in long-established environments and tack-ling challenges in new and evolving domains such as cyberspace.

United States. 2007. Critical Infrastructure Protec-tion: Sector-Specific Plans’ Coverage of Key Cyber Security Elements Varies. United States Government Accountability Office, Report to Congressional Re-questers. Available at: http://www.gao.gov/new.items/d08113.pdfThis report is based on a study performed to evalu-atesector-specificplansintheareaofcybersecurity.The findings revealed that the plans varied in howcomprehensively they addressed the cyber security aspects and argued that without comprehensive plans, stakeholders within the infrastructure sectors may not adequately identify, prioritize, and protect their critical assets, systems, networks, and func-tions;bepreparedtorespondtoasignificantattack;or identify the cyber risks they face. It concluded by recommending that DHS work with the sector rep-resentativestoensurethattheareasnotsufficientlyaddressed are covered.

4.2.2 Academic literature

Caudle, S.L. 2009. National Security Strategies: Se-curity from What, for Whom, and by What Means. . Journal of Homeland Security and Emergency Man-agement, 6(1), Article 22. Available at: http://www.be-press.com/jhsem/vol6/iss1/22/ This article argues that fundamental changes are taking place in how countries view, approach, and implement strategies to protect their ‘national se-curity.’ In the past, strategies underlying national

CRN REPORT Focal Report 4 – Critical Infrastructure Protection

24

security narrowly focused on threats that could be addressed by military and/or diplomatic means. Now, however, ‘national security’ is viewed in a much broader context, with the focus on preserving that which makes a country unique, and that includes the intangibles of its culture as well as what physically lies within its borders. The result is that countries are revising existing national security strategies (includ-ing those covering homeland security or domestic security) or crafting entirely new ones to address this much broader view of that which is to be pro-tected. Drawing on recent literature and documents addressing diverse national security strategies, this article discusses the following areas: (1) the defini-tion of national security, (2) the purpose of a national security strategy, (3) how a national security strategy is evaluated, and (4) implications for The National Se-curity Strategy of the United States and The National Strategy for Homeland Security as a new Administra-tion governs.

Rose, A.Z. 2009. A Framework for Analyzing the Total Economic Impacts of Terrorist Attacks and Natural Disasters. Journal of Homeland Security and Emer-gency Management, 6 (1), Article 9. Available at: http://www.bepress.com/jhsem/vol6/iss1/9/ Policies to mitigate natural hazards and terrorism are facing increasing scrutiny, such as the benefit-cost

test.Thebenefitsarethelossesthatcanbeavoidedby the mitigation actions. For sound policy-making, it is therefore necessary that the various types of losses andmajor factorsaffecting thembe identifiedandthat metrics be established for their measurement in accordance with economic principles. This paper presents a comprehensive framework for the analysis and measurement of ordinary economic impacts and two categories of impacts that have recently gained the attention of analysts and policy makers, but for which operational definitions are lacking. The firstis resilience, which refers to how the economy man-ages to keep functioning and how quickly it recovers. The second major extension of loss estimation per-tains to behavioral and systems linkages. These re-fer to considerations unique to disasters that cause indirect impacts to be orders of magnitude greater than ordinary indirect effects in cases where risks are amplified, systemsareoverwhelmed, and resilienceis eroded. The framework combines a checklist of typesofimpacts,consistentdefinitions,metrics,andstrategies for estimation. The framework is serving as a template for loss estimation and benefit-costanalysisbyseveralofficesoftheU.S.DepartmentofHomeland Security.

The Center for Security Studies (CSS) at ETH Zurich specializes in research, teaching, and infor-mation services in the fields of international relations and security policy. The CSS also acts as a consultant to various political bodies and the general public. The Center is engaged in research projects with a number of Swiss and international partners, focusing on new risks, European and transatlantic security, strategy and doctrine, state failure and state building, and Swiss foreign and security policy.

The Crisis and Risk Network (CRN) is an Internet and workshop initiative for international dialog on national-level security risks and vulnerabilities, critical infrastructure protection (CIP) and emergency preparedness.As a complementary service to the International Relations and Security Network (ISN), the CRN is coordinated and developed by the Center for Security Studies at the Swiss Federal Institute of Technology (ETH) Zurich, Switzerland. (www.crn.ethz.ch)

ETH ZurichCSS CRN REPORT

Focal Report 4

Critical Infrastructure ProtectionProtection Goals

Zurich, February 2010

Crisis and Risk Network (CRN)Center for Security Studies (CSS), ETH Zürich

Commissioned by the Federal Office for Civil Protection (FOCP)

Supported by ISNCRN